Versions Compared

Comment: rewrite for clarification

...

An attempt is made to read as many as len bytes, but a smaller number may be read, possibly zero. 

Both read() methods return as soon as they find available input data. As a result, these methods can stop reading data before the array is filled because the available data may be insufficient to fill the array.

The analogous read methods in Reader are documented to return the number of characters read, which implies that they also need not fill the char array provided as an argument.

Ignoring the result returned by the read() methods is a violation of EXP00-J. Do not ignore values returned by methods. Security issues can arise even when return values are considered because the default behavior of the read() methods lacks any guarantee that the entire buffer array is filled. Consequently, when using read() to fill an array, the program must check the return value of read() and must handle the case where the array is only partially filled. In such cases, the program may try to fill the rest of the array, or work only with the subset of the array that was filled, or throw an exception.
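The following is an added example, not code from the original page: it contrasts a single read() call with a loop that checks the return value until the array is full, and throws if the stream ends first. The class name, the fill() helper, the chunked() test stream and the sample input are all assumptions constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class FillArrayExample {
    // Hypothetical helper: keeps calling read() until the array is full.
    // Throws EOFException if the stream ends first, so a caller never
    // processes a partially filled array by accident.
    static void fill(InputStream in, byte[] buf) throws IOException {
        int offset = 0;
        while (offset < buf.length) {
            int n = in.read(buf, offset, buf.length - offset);
            if (n == -1) {
                throw new EOFException("stream ended after " + offset
                        + " of " + buf.length + " bytes");
            }
            offset += n; // n may be smaller than the length requested
        }
    }

    // Constructed test stream: hands out at most 3 bytes per read() call,
    // imitating a socket or pipe that delivers data in small pieces.
    static InputStream chunked(byte[] data) {
        return new ByteArrayInputStream(data) {
            @Override
            public synchronized int read(byte[] b, int off, int len) {
                return super.read(b, off, Math.min(len, 3));
            }
        };
    }

    public static void main(String[] args) throws IOException {
        byte[] data = "0123456789".getBytes(StandardCharsets.US_ASCII); // constructed input
        byte[] once = new byte[8];
        int n = chunked(data).read(once); // single call: array only partly filled
        System.out.println("single read() returned " + n + " of " + once.length);

        byte[] full = new byte[8];
        fill(chunked(data), full); // loops on the return value until full
        System.out.println("fill() produced: " + new String(full, StandardCharsets.US_ASCII));

        try {
            fill(chunked(data), new byte[16]); // asks for more than the stream holds
        } catch (EOFException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The JDK's DataInputStream.readFully() offers the same fill-or-throw behaviour for byte arrays.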

...